On 02/14 06:06, Vít Ondruch wrote:
> Hi,
> 
> Could you please avoid bumping versions of bundled gems when fixing
> security issues? The version bump breaks the promise of a point release not
> to break anything and to update safely.
> 
> Consider the following simple case:
> 
> $ ruby -v
> ruby 1.9.3p374 (2013-01-15 revision 38858) [x86_64-linux]
> 
> $ rdoc --version
> rdoc 3.9.4
> 
> $ cat Gemfile
> gem 'rdoc'
> 
> $ cat testrdoc.rb
> require 'rdoc/rdoc'
> 
> options = RDoc::Options.new
> options.parse ARGV
> 
> rdoc = RDoc::RDoc.new
> rdoc.document options
> 
> $ bundle install
> Using rdoc (3.9.4)
> Using bundler (1.1.4)
> Your bundle is complete! Use `bundle show [gemname]` to see where a bundled
> gem is installed.
> 
> $ bundle exec ruby testrdoc.rb -- testrdoc.rb
> Parsing sources...
> 100% [ 1/ 1]
> testrdoc.rb
> 
> Generating Darkfish format into /tmp/test374/doc...
> 
> Files:      1
> 
> Classes:    0 (0 undocumented)
> Modules:    0 (0 undocumented)
> Constants:  0 (0 undocumented)
> Attributes: 0 (0 undocumented)
> Methods:    0 (0 undocumented)
> 
> Total:      0 (0 undocumented)
>   0.00% documented
> 
> Elapsed: 0.0s
> 
> $ bundle exec ruby testrdoc.rb -- testrdoc.rb
> Could not find rdoc-3.9.4 in any of the sources
> Run `bundle install` to install missing gems.
> 
> $ sudo yum update 'ruby*' # Or just somehow install the new point release
> of Ruby
> 
> $ ruby -v
> ruby 1.9.3p385 (2013-02-06 revision 39114) [x86_64-linux]
> 
> $ rdoc --version
> rdoc 3.9.5
> 
> $ bundle exec ruby testrdoc.rb -- testrdoc.rb
> Could not find rdoc-3.9.4 in any of the sources
> Run `bundle install` to install missing gems.
> 
> So what worked before the update does not work now. This issue was
> introduced by rev39101, and there is another similar breakage, rev39218, in
> the queue for release. Yes, this might be a wrong design in Bundler, but
> considering how wide the adoption of Bundler is, Ruby releases should
> respect it.

I'm the packager of ruby for OpenBSD, and I disagree with this. The
included gems that ship with Ruby releases (including patch releases)
should have versions that match the versions of the external gems with
the same content.

Ruby releases should not violate common sense just to work around
design flaws in ruby libraries, no matter how popular those libraries
are.

Jeremy
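
An added example, not part of either message above, that makes the mechanics of the quoted breakage concrete. It assumes what the "Could not find rdoc-3.9.4 in any of the sources" message reflects: Bundler resolves from the exact pin recorded in Gemfile.lock, not from the `gem 'rdoc'` line in the Gemfile, so when a Ruby point release replaces rdoc 3.9.4 with 3.9.5 the pin can no longer be satisfied even though any ordinary Gemfile constraint would accept the new version. The lockfile text and the "installed after update" version table are constructed here to mirror the session in the thread; `pinned_versions`, `unsatisfied_pins` and `gemfile_would_accept?` are names chosen for this example, and the only real APIs used are `Gem::Requirement`, `Gem::Version` and `Gem::Specification`.

```ruby
# Added example (not from the thread): detect Gemfile.lock pins that a Ruby
# point release has made unsatisfiable, and show that the Gemfile's own
# constraint was never the problem.
require 'rubygems'

# Constructed Gemfile.lock fragment as Bundler 1.x writes it after
# "bundle install" on a Ruby that ships rdoc 3.9.4 (exact pin recorded).
SAMPLE_LOCKFILE = <<LOCK
GEM
  remote: https://rubygems.org/
  specs:
    rdoc (3.9.4)

PLATFORMS
  ruby

DEPENDENCIES
  rdoc
LOCK

# Constructed: gem versions present after the point release in the thread
# (rdoc 3.9.5 installed, the 3.9.4 spec gone).
INSTALLED_AFTER_UPDATE = { 'rdoc' => ['3.9.5'] }

# Extract { name => exact version } from the "specs:" block of a lockfile.
# Spec lines are indented four spaces; a spec's own dependencies are indented
# six and are skipped; the block ends at the next unindented section header.
def pinned_versions(lockfile_text)
  pins = {}
  in_specs = false
  lockfile_text.each_line do |line|
    if line =~ /^\s*specs:\s*$/
      in_specs = true
      next
    end
    next unless in_specs
    if line =~ /^    (\S+) \(([^)]+)\)\s*$/
      pins[$1] = $2
    elsif line !~ /^\s/
      in_specs = false
    end
  end
  pins
end

# Compare every exact pin with the versions actually installed. Returns
# [name, pinned_version, installed_versions] for each pin that "bundle exec"
# would fail on with "Could not find <name>-<version> in any of the sources".
def unsatisfied_pins(pins, installed)
  pins.reject { |name, ver| (installed[name] || []).include?(ver) }
      .map { |name, ver| [name, ver, installed[name] || []] }
end

# Would the Gemfile constraint alone have accepted the new version? For an
# unconstrained gem line (">= 0") or a pessimistic "~> 3.9.4" the answer is
# yes; only the lockfile's exact pin is what breaks.
def gemfile_would_accept?(requirement, version)
  Gem::Requirement.new(requirement).satisfied_by?(Gem::Version.new(version))
end

# Same check against the gems really installed in the running Ruby, so the
# script can be pointed at a real Gemfile.lock after an upgrade.
def live_installed_versions
  versions = {}
  Gem::Specification.each do |spec|
    (versions[spec.name] ||= []) << spec.version.to_s
  end
  versions
end

if __FILE__ == $0
  pins = pinned_versions(SAMPLE_LOCKFILE)
  unsatisfied_pins(pins, INSTALLED_AFTER_UPDATE).each do |name, pinned, have|
    puts "#{name}: lockfile pins #{pinned}, installed: #{have.join(', ')}"
    puts "  Gemfile 'gem #{name}' (>= 0) would accept #{have.first}: " \
         "#{gemfile_would_accept?('>= 0', have.first)}"
  end
end
```

Run against a real project with `pinned_versions(File.read('Gemfile.lock'))` and `live_installed_versions` after a Ruby upgrade to list exactly which bundled-gem pins the point release invalidated before `bundle exec` does.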